DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Evaluation of DHS’ Information Security Program for Fiscal Year 2007

OIG-07-77                          September 2007

Table of Contents/Abbreviations

  Executive Summary ..................................... 1
  Background ............................................ 2
  Results of Independent Evaluation ..................... 3
  Recommendations ....................................... 13
  Management Comments and OIG Analysis .................. 13

Appendices
  Appendix A: Purpose, Scope, and Methodology ........... 15
  Appendix B: Management Response to Draft Report ....... 17
  Appendix C: FISMA Scorecard and C&A Steady State Scorecard for July 2007 ........... 22
  Appendix D: FY 2007 Monthly Component FISMA Scorecard Grades ........................ 25
  Appendix E: FISMA System Inventory and Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing ........... 26
  Appendix F: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory ........... 28
  Appendix G: Evaluation of Agency Plan of Action and Milestones Process ............... 29
  Appendix H: IG Assessment of the Certification and Accreditation Process ............. 30
  Appendix I: IG Assessment of Agency Privacy Program and Privacy Impact Assessment Process ........... 31
  Appendix J: Configuration Management .................. 32
  Appendix K: Incident Reporting ........................ 33
  Appendix L: Security Awareness Training, Peer-to-Peer File Sharing, and E-Authentication Risk Assessments ........... 34
  Appendix M: Major Contributors to this Report ......... 35
  Appendix N: Report Distribution ....................... 36

Abbreviations
  ATO        Authority to Operate
  C&A        Certification and Accreditation
  CBP        United States Customs and Border Protection
  CIO        Chief Information Officer
  CISO       Chief Information Security Officer
  CONOPS     Concept of Operations
  DHS        Department of Homeland Security
  FEMA       Federal Emergency Management Agency
  FIPS       Federal Information Processing Standards
  FISMA      Federal Information Security Management Act
  FLETC      Federal Law Enforcement Training Center
  FY         Fiscal Year
  ICE        United States Immigration and Customs Enforcement
  ISSM       Information Systems Security Manager
  ISSO       Information Systems Security Officer
  IT         Information Technology
  NIST       National Institute of Standards and Technology
  NPPD       National Protection and Programs Directorate
  OIG        Office of Inspector General
  OIS        Office of Information Security
  OMB        Office of Management and Budget
  POA&M      Plan of Action and Milestones
  PIA        Privacy Impact Assessment
  PII        Personally Identifiable Information
  PTA        Privacy Threshold Analysis
  S&T        Science and Technology
  SP         Special Publication
  TSA        Transportation Security Administration
  US-CERT    United States Computer Emergency Readiness Team
  USCG       United States Coast Guard
  USCIS      United States Citizenship and Immigration Services
  USSS       United States Secret Service
  US-VISIT   United States Visitor and Immigrant Status Indicator Technology
Executive Summary

We conducted an independent evaluation of the Department of Homeland Security’s information security program and practices to comply with the Office of Management and Budget’s reporting requirements noted in the Federal Information Security Management Act of 2002 (Public Law 107-347, Sections 301-305). We evaluated the department’s progress in implementing its agencywide information security program. In doing so, we specifically assessed the department’s Plan of Action and Milestones, as well as its certification and accreditation processes. We performed our work at both the program and the component levels.

The department continues to improve and strengthen its security program. During the past year, the department implemented a performance plan to measure the components’ progress toward full compliance with its information security program. The performance plan tracks key elements indicative of a strong, functioning security program. Monthly, the department’s Chief Information Officer and Chief Information Security Officer report on and discuss component progress. Despite this oversight, components are again not executing all of the department’s policies, procedures, and practices. For example:
• Systems are being accredited without key documents or with key information missing.
• Plans of Action and Milestones are not being created for all information security weaknesses.
• Plans of Action and Milestones are not being monitored and resolved in a timely manner.
• Baseline security configurations are not being implemented for all systems.

Management oversight of the components’ implementation of the department’s policies and procedures needs to be improved to ensure the quality of the certification and accreditation process and that all information security weaknesses are tracked and remediated. Other information security program areas that need improvement include security configuration management, incident detection and analysis, and security training.

We are making five recommendations to the Chief Information Officer. The department has already begun to take actions to implement the recommendations.
The department’s response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

Due to the increasing threat to information systems and the highly networked nature of the federal computing environment, Congress, in conjunction with the Office of Management and Budget (OMB), requires an annual review and reporting of agencies’ compliance with the Federal Information Security Management Act (FISMA). FISMA focuses on the program management, implementation, and evaluation of the security of unclassified and national security systems.

The E-Government Act of 2002 (Public Law 107-347, Sections 301-305) recognized the importance of information security to the economic and national security interests of the United States. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Title III of the E-Government Act, entitled FISMA, provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support federal operations and assets.

FISMA requires each federal agency to develop, document, and implement an agencywide security program. The agency’s security program should protect the information and the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. As specified in FISMA, agency heads are charged with conducting an annual evaluation of information programs and systems under their purview, as well as assessments of related security policies and procedures. Offices of Inspector General (OIG) must independently evaluate the effectiveness of an agency’s information security program and practices on an annual basis.

OMB issued memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, on July 25, 2007. The memorandum provides updated instructions for agency and OIG reporting under FISMA. This annual evaluation summarizes the results of our review of the Department of Homeland Security’s (DHS’) information security program and practices.

The Chief Information Security Officer (CISO) leads the Office of Information Security (OIS) and is responsible for managing DHS’ information security program. To aid in managing its security program, DHS developed a process for reporting and capturing known security weaknesses in Plans of Action and Milestones (POA&Ms). In addition, DHS uses an enterprise management tool, Trusted Agent FISMA, to collect and track data related to all POA&M activities, including weaknesses identified during self-assessments, and certification and accreditation (C&A).
Trusted Agent FISMA also collects data on other FISMA metrics, such as the number of systems that have implemented DHS security configurations and the number of employees who have received information technology (IT) security training.

DHS also uses an enterprise C&A tool, Risk Management System, to automate and standardize portions of the C&A process to assist the DHS components in quickly and efficiently developing their security accreditation packages. See Figure 1 for an illustration of how the enterprise management and C&A tools are used within the department to collect, manage, and report information security metrics.

Figure 1: DHS’ Enterprise Security Management Tools Usage
[Flow diagram. Inputs: DHS 4300, FISMA requirements, OMB/NIST guidance, other requirements; DHS component/domain IT security program implementation and IT system implementations. C&A tool: system security plan (SSP), requirements traceability matrix (RTM), security assessment report (SAR), sample test procedures, test results, contingency plans. FISMA reporting tool (monthly status updates): system and program security metrics, Plan of Action and Milestones (POA&M), annual assessment questionnaire, summary of C&A status/docs, reports, digital dashboard. Data review teams (DHS compliance review teams, OIG, component/domain ISSM): data verification and review. Outputs: FISMA reports to OMB; metrics to DHS management via the digital dashboard.]
Source: DHS 4300A Sensitive Systems Handbook, Attachment E – FISMA Reporting

Results of Independent Evaluation

We separated the results of our evaluation into seven FISMA areas. For each area, we identified the progress that DHS has made since our Fiscal Year (FY) 2006 evaluation and those issues that need to be addressed to be successful in the FISMA area.

Department Oversight

DHS validates and monitors component progress through a verification process and a monthly FISMA scorecard. Improvements are needed in the level of oversight and the metrics being used to monitor component progress.

PROGRESS

• The CISO developed the Fiscal Year 2007 DHS Information Security Performance Plan “Raising the Bar” to hold the components to a higher C&A process standard, improve the POA&M process, close high-priority weaknesses, and require components to achieve full FISMA compliance.
• The CISO developed a FISMA scorecard to manage the components’ compliance with the performance plan. The FISMA scorecard provides the Chief Information Officer (CIO), the CISO, component CIOs, and component Information System Security Managers (ISSMs) with an overview of each component’s compliance with six FISMA elements. The FISMA elements include annual testing, POA&M, C&A, configuration management, incident detection and response, and IT security training.
See Appendix C for an example of the FISMA scorecard.
• Throughout the year, the CISO revised the department’s baseline IT security policies and procedures in the DHS Sensitive Systems Policy Directive 4300A and its companion, DHS 4300A Sensitive Systems Handbook.
• DHS issued its DHS Security Operations Concept of Operations (CONOPS) in May 2007. The CONOPS defines the security operations for the DHS Security Operations Center and subordinate component security operation centers. The CONOPS established the roles and responsibilities of the DHS Security Operations Center as the central reporting and coordinating body for computer security incidents.
• The CISO implemented a data review and verification process of the component performance information entered into Trusted Agent FISMA, including C&A artifacts, POA&Ms, configuration management, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 self-assessments, and IT security training.
• The CIO has taken an active role in ensuring that components comply with FISMA. The CIO sent memorandums to the leaders of four components (Federal Emergency Management Agency (FEMA), Infrastructure Operations, United States Coast Guard (USCG), and United States Citizenship and Immigration Services (USCIS)) in April 2007 voicing his concern over the status of their FISMA compliance. The CIO requested immediate attention to complete the required areas that were in need of improvement, for example, C&A, annual self-assessments, and POA&M management.

ISSUES TO BE ADDRESSED

• Certain metrics in the performance plan, used by the CISO to grade the components, need improvement in order to better reflect the true state of FISMA compliance. Areas include closure and completeness of POA&Ms, implementation and review of configuration management plans, and quality of annual testing. See Appendix D for FY 2007 grades assigned by the CISO.
• The OIS validation team does not ensure that all key C&A artifacts are completed prior to validating an Authority To Operate (ATO) letter. The team also does not ensure that POA&Ms are created for weaknesses identified in the ATO letter and other key C&A artifacts.
• The OIS validation team does not analyze POA&Ms or discuss them with system officials to determine the reasonableness of delayed completion of POA&Ms, or identify recurring and similar weaknesses across the department.
• The OIS validation team does not review classified systems’ POA&Ms.

System Inventory

DHS maintains its system inventory. Site visits during annual component reviews help identify systems that have not been included in the department’s system inventory.

PROGRESS

• DHS continues to maintain a comprehensive inventory of its major applications and general support systems, including contractor and national security systems.
DHS identified 603 operational systems (as of July 31, 2007).
• DHS continues to maintain an effective process to update and manage its inventory on an annual basis for agency, contractor, and classified systems by reviewing the system inventory with each component.

ISSUES TO BE ADDRESSED

• Site visits to component offices outside the Washington D.C. area are not being performed during the annual system inventory reviews. Site visits can be used to determine if there are any systems that are not known by the ISSM and that should be included in the inventory.

See Appendices E and F for system inventory and evaluation of DHS’ oversight of contractor systems and quality of system inventory.

Certification and Accreditation Process

DHS requires components to use an enterprise-wide tool that incorporates NIST security controls to conduct their C&As. Components are required to apply NIST SP 800-53 security controls for all system certifications and self-assessments. For many of the systems that have been accredited by the components, the artifacts required to support the C&A were either missing or incomplete. In addition, many of the self-assessments were not being properly completed by the components.

PROGRESS

• The CISO requires components to apply NIST SP 800-53 security controls for all system certifications and when completing annual self-assessments.
• DHS uses 11 C&A artifacts, uploaded into Trusted Agent FISMA by the components, to monitor their progress in accrediting systems. As of July 31, 2007, the CISO reported that 84% of DHS’ operational systems (530/603) have been certified and accredited. The 11 artifacts are: ATO letter, system security plan, security assessment report, risk assessment, security test and evaluation, contingency plan, contingency plan test results, Federal Information Processing Standards (FIPS) 199 determination, e-authentication determination, privacy threshold analysis (PTA), and NIST SP 800-53. A total of 68 of the 73 systems that have not been accredited belong to one component.

ISSUES TO BE ADDRESSED

• The C&A process requires documentation to include system security plans, risk assessments, system test and evaluation plans, security assessment reports, contingency plans, and contingency plan test results. We selected 28 systems with current ATOs spanning 10 components to evaluate the quality of DHS’ C&A process. In 17 instances, the accreditation packages were incomplete. Specifically, systems were accredited although some required security documents were missing key information. Without this information, agency officials cannot make credible, risk-based decisions on whether to authorize the system to operate.
For example:
  - Eight instances where system security plans were incomplete, including sections that describe detailed configuration management plans, security controls, and incident handling procedures.
  - Eleven instances where a description of the use of automated vulnerability assessment tools was not addressed.
  - Eleven instances where the effectiveness of controls was not addressed.
  - Five instances where contingency plans were incomplete, including the identification of alternate processing facilities or restoration procedures.
  - Eight instances where there was no system test and evaluation plan or it was incomplete.
  - Three instances where there was no security assessment report or the results of the test were not in the security assessment report.
• As of July 31, 2007, 16 systems that were accredited were lacking at least one of three critical artifacts: risk assessment, system security plan, or security assessment report. Six of the 16 lacked all three of these required artifacts.
• As of July 31, 2007, 83 systems were accredited for 1 year or less, including 23 for 6 months or less. We believe systems accredited for 6 months or less are in effect interim ATOs and should not be considered in calculating the number of systems that DHS has accepted as accredited.
• We selected 33 systems spanning 13 components to evaluate the quality of completed NIST SP 800-53 self-assessments. We determined whether there was a compliance description for all applicable controls; supporting documentation for all controls that had been tested; justification for any controls that were not applicable (N/A); and that a POA&M was created for all required controls that had not been tested. For 21 self-assessments, there was no compliance description or supporting documentation for one or more controls that were not tested. For 11 self-assessments, there was no justification for not reviewing one or more of the required security controls.
• During an OIG audit at FEMA (Improved Administration Can Enhance Federal Emergency Management Agency Laptop Computer Security, dated June 2007, OIG-07-50), we determined that its laptop computers had not been certified and accredited. FEMA had not included its approximately 32,000 laptops as part of any system.
• The CIO identifies systems to be accredited if an ATO letter has been validated. We believe that systems with missing or deficient key C&A artifacts and systems with an ATO of 6 months or less should not be included in the number of systems the department reports as certified and accredited. Based on our reviews, the actual number of systems that should be accepted as being certified and accredited should be no higher than 486 (81% rather than the 84% reported by the CISO).

See Appendix H for the OIG assessment of DHS’ C&A process.

Plan of Action and Milestones Process

DHS components are required to use Trusted Agent FISMA to capture and track security weaknesses.
The components are not entering and tracking all IT security weaknesses in Trusted Agent FISMA, nor are all of the data entered by the components accurate and updated in a timely manner.

PROGRESS

• DHS conducts monthly reviews of POA&Ms for completeness and monitors the closure rate for initial and repeat audit findings. The findings are reported to OIS and components.
• POA&Ms have been created for all weaknesses identified during the FY 2006 financial statement audit.

ISSUES TO BE ADDRESSED

• DHS components have not created POA&Ms for all known security weaknesses. DHS relies on the component ISSMs and Information Systems Security Officers (ISSOs) to ensure that POA&M information is entered accurately and that weaknesses are resolved.
  - Three components (FEMA, National Protection and Programs Directorate (NPPD), and Science and Technology (S&T)) did not create POA&Ms for findings identified in OIG audit reports issued during FY 2007.
  - We selected 33 systems where components reported that a NIST SP 800-53 self-assessment had been completed. When a control has not been tested and the weakness is not accepted based on a risk-based decision, a POA&M should be created to remediate the weakness. In 24 instances, POA&Ms were not created for controls that were not tested.
  - We selected 28 systems, spanning 10 components, with current ATOs to evaluate the quality of the C&A documentation. In 10 instances, POA&Ms were not created for weaknesses identified during the C&A process.
• Based on an analysis of data in Trusted Agent FISMA, as of July 5, 2007, the ISSMs and ISSOs are not maintaining current information as to the progress of security weakness remediation.
  - Component management is not updating all weaknesses when the estimated completion date has been delayed. Of the 5,342 open POA&Ms that had estimated completion dates, 480 (9%) were at least 3 months past due (prior to April 5, 2007). Further, 277 had an estimated completion date over 1 year old, dating as far back as September 30, 2005.
  - Components are required to provide reasons why a POA&M is delayed. As of July 5, 2007, 1,510 of 2,074 open POA&Ms identified as delayed did not have a reason.
  - Resources required for remediation of 387 of the 5,342 open POA&Ms (7%) were not identified, or the cost of remediation was listed as $1. For the remaining 4,955 POA&Ms that included required resources, 296 (6%) did not specify the funding sources.
  - Effective March 1, 2007, components were required to assign one of the 17 NIST SP 800-53 families of controls to each weakness. As of July 5, 2007, only 441 of the 2,179 open POA&Ms (20%) created after March 1, 2007 had a NIST SP 800-53 control assigned.
  - Effective March 1, 2007, ISSMs were required to review and approve all priority 4 and priority 5 POA&Ms to ensure that the weakness is properly identified and prioritized, and that appropriate resources have been made available. Priority 4 weaknesses are assigned to initial audit findings and priority 5 weaknesses to repeat audit findings. In addition, any weakness can be assigned to priority 4 or priority 5 by management. As of July 5, 2007, 148 of 150 priority 4 and priority 5 POA&Ms created after March 1, 2007 were not approved.
• Not all POA&Ms are being resolved in a timely manner, including weaknesses identified as a significant deficiency.
  - As of July 5, 2007, 1,447 of 5,342 open POA&Ms (27%) reported estimated completion dates that were more than 2 years after the identification of the weakness.
  - As of July 5, 2007, there were 38 open weaknesses defined as significant deficiencies. Seven POA&Ms were created over the 12 previous months.
A significant deficiency is a weakness in an\n            organization\xe2\x80\x99s overall IT security program or management control\n            structure that significantly restricts the capability of the component\n            to carry out its mission or compromises the security of its\n            information, information system, personnel, or other resources,\n            operations, or assets. The risk is great enough that the organization\n            head must be notified and immediate or near-immediate corrective\n            action must be taken.\n\nSee Appendix G for the evaluation of DHS\xe2\x80\x99 POA&M process.\n\n\n Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2007\n\n                            Page 9\n\x0c                   Configuration Management\n\n                             DHS has updated its baseline software security configuration guides and are\n                             to be followed by the components when configuring their systems. A review\n                             of four systems identified that the components have not implemented all of the\n                             required software security configurations.\n\n                             PROGRESS\n\n                             \xe2\x80\xa2 \t DHS updated its agencywide security baseline configuration guides for\n                                 Windows NT/2000/2003/XP/Vista/Active Directory, Solaris, Unix, Linux,\n                                 Cisco Routers, Microsoft SQL server, and Oracle database servers in May\n                                 2007.\n\n                             ISSUES TO BE ADDRESSED\n\n                             \xe2\x80\xa2 \t Components have not fully implemented NIST SP 800-53 baseline\n                                 security controls, including DHS baseline security configuration\n                                 requirements, for all of their systems. 
Our review of four systems at two components, FEMA and United States Immigration and Customs Enforcement (ICE), in which the component reported that DHS security configurations had been implemented, disclosed that NIST SP 800-53 baseline security controls had not been implemented for those systems. NIST controls that had not been implemented included those associated with access control, audit and accountability, configuration management, identification and authentication, and system and information integrity.
• The CIO does not have a verification process to validate whether components have implemented DHS baseline configuration requirements.
• Vulnerability assessments performed at components during our laptop, Plum Island Animal Disease Center, Ronald Reagan Washington National Airport, and Dulles International Airport audits identified security concerns with access control, identification and authentication, and configuration management. In these instances, components had not configured their systems based on DHS configuration guidelines. Components included United States Customs and Border Protection (CBP), FEMA, S&T, Transportation Security Administration (TSA), and USCG.1

1 Improved Administration Can Enhance U.S. Customs and Border Protection Laptop Computer Security, dated December 2006 (OIG-07-16); Technical Security Evaluation of DHS Activities at Dulles International Airport, dated January 2007 (OIG-07-25); Additional Physical, System, and Management Controls Can Enhance Security at Plum Island, dated May 2007 (OIG-07-43); Technical Security Evaluation of DHS Activities at Ronald Reagan Washington National Airport, dated May 2007 (OIG-07-44); Improved Administration Can Enhance Federal Emergency Management Agency Laptop Computer Security, dated June 2007 (OIG-07-50).

• Weak internal IT controls related to financial management systems were found during the audit of the department’s financial statement for FY 2006.2 Security concerns included inadequate access controls, application controls, and software development and change controls. Note: POA&Ms have been created for each of the weaknesses identified.

See Appendix J for information regarding DHS’ configuration management.

Incident Detection, Handling, and Analysis Procedures

DHS has improved its incident detection, handling, and analysis procedures during the last year and began performing vulnerability assessments at some components.
However, the department has not fully implemented the vulnerability assessment program across the department.

PROGRESS

• DHS issued the DHS Security Operations Concept of Operations in May 2007.
• DHS developed detailed procedures for reporting incidents externally to law enforcement authorities.
• The DHS Computer Security Incident Response Center developed detailed procedures for reporting incidents to the United States Computer Emergency Readiness Team (US-CERT).
• DHS developed procedures to perform department-wide security incident monitoring, analysis, and notification. The DHS Security Operations Center has begun to issue security event notifications to components.
• The DHS Security Operations Center has performed vulnerability assessment scans at CBP, FEMA, and DHS headquarters.

ISSUES TO BE ADDRESSED

• DHS’ vulnerability assessment program has not been deployed department-wide. The program should be a comprehensive vulnerability alert, assessment, remediation, and reporting process to effectively identify computer security vulnerabilities and track mitigation efforts to resolution.
• Some components are not reporting incidents to the DHS Computer Security Incident Response Center, as required. Components are required to submit weekly incident reports. Five components - FEMA, Federal Law Enforcement Training Center (FLETC), ICE, OIG, and USCIS - did not submit reports every week during an 11-week period that we reviewed.

2 Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit, dated August 2007 (OIG-07-53).

See Appendix K for information regarding DHS’ incident reporting.

Security Training Procedures

DHS validates employee security training at the components. The Information Security Training, Education, and Awareness Office (Training Office) has not determined the specific training that is needed for employees with significant security responsibilities.

PROGRESS

• The Training Office validates specialized security training for individuals identified by the components as having significant IT security responsibilities.

ISSUES TO BE ADDRESSED

• DHS (CIO and Office of Human Capital) has not implemented a department-wide web-based IT security training program (learning management system) to standardize security awareness training and to track the completion of security training. The learning management system was originally planned to be implemented in FY 2004, but it was pushed back to FY 2007. Currently, the plan is to launch the system by the end of September 2007 for DHS headquarters employees only. The system is expected to be fully functional (available to all components) by September 2009.
We reported a similar issue in our FY 2006 FISMA report.
• The Training Office has not established the appropriate specialized security training that is needed for all employees and contractors with significant IT security responsibilities. While the Training Office validates the specialized training obtained by ISSMs and ISSOs, it relies on the components to ensure that individuals with significant security responsibilities (including system administrators, database administrators, and network administrators) are properly trained. We reported a similar issue in our FY 2006 FISMA report.
• Some of the components’ training plans were incomplete, as they did not include all of the required information and approvals. For example, seven training plans were not approved by the ISSM, seven plans did not include the number of employees and contractors who need training, and nine plans did not include the number of information systems security employees.
• Two components did not submit FY 2007 training plans.

See Appendix L for information regarding DHS’ security awareness training.

Recommendations

We recommend that the DHS CIO:

Recommendation #1: Improve the OIS’ review process to ensure that all POA&Ms, including those for classified systems, are complete, accurate, and current. Specifically, the closure of all POA&Ms should be monitored by OIS to ensure that security weaknesses are mitigated in a timely manner. POA&Ms should also be reviewed by OIS to identify the causes of recurring and similar weaknesses across the department and to determine the reasonableness of delayed completion.

Recommendation #2: Improve the OIS’ review process to ensure that all C&A documents are properly prepared before a system is accepted by the CISO as an accredited system. Systems accredited by the Designated Accrediting Authority should not be accepted unless all required artifacts are complete and weaknesses are incorporated into POA&Ms.

Recommendation #3: Establish a process to ensure that configuration requirements are implemented and maintained on all systems.

Recommendation #4: Implement a department-wide vulnerability assessment program to perform periodic testing to evaluate DHS’ security posture.

Recommendation #5: Establish the appropriate training that is needed for all individuals with significant security responsibilities.

Management Comments and OIG Analysis

DHS concurred with recommendation 1. The department significantly improved component POA&M oversight in FY 2007. The department’s FY 2008 performance plan will incorporate additional requirements to address classified systems and unreasonable POA&M delays.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 2. The department achieved significant improvements in producing key accreditation documentation in FY 2007. The department’s FY 2008 performance plans will incorporate additional requirements to address artifact completeness and further identify weaknesses in POA&Ms.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 3. The department’s FY 2008 performance plan will incorporate additional requirements to address a monitoring process for configuration requirements at the system level, and for validating that components are completing annual vulnerability scans.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 4. The DHS Security Operations Center has begun performing component vulnerability assessments and will continue to perform them in FY 2008.

We agree that the steps DHS has taken, and plans to take, satisfy this recommendation.

DHS concurred with recommendation 5. The department provides specialized training at its DHS Security Conference. The department’s FY 2008 performance plan will incorporate additional requirements to track individuals and establish appropriate training.

We agree that the steps DHS plans to take satisfy this recommendation.

Appendix A
Purpose, Scope, and Methodology

The objective of this review was to determine whether DHS has developed adequate and effective information security policies, procedures, and practices, in compliance with FISMA.
In addition, we evaluated DHS’ progress in developing, managing, and implementing its information security program.

Our independent evaluation focused on DHS’ information security program and practices, based on the requirements outlined in FISMA and OMB Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, issued on July 25, 2007. We conducted our work at the program level and at DHS’ major components: CBP, DHS Management, FEMA, FLETC, ICE, OIG, NPPD, S&T, TSA, USCG, USCIS, and United States Secret Service (USSS).

In addition to our independent evaluation, we conducted reviews of DHS’ information systems and security program-related areas throughout FY 2007. This report includes results for a limited number of systems evaluated during our past and ongoing financial statement review, laptop security audits, Plum Island Animal Disease Center audit, and technical evaluation audits at two airports.

As part of our evaluation of DHS’ compliance with FISMA, we assessed DHS and its components’ compliance with the security requirements mandated by FISMA and other federal information systems security policies, procedures, standards, and guidelines, including NIST SP 800-37 and FIPS 199. Specifically, we (1) used last year’s FISMA independent evaluation as a baseline for this year’s review and assessed the progress that DHS has made in resolving weaknesses previously identified; (2) focused on reviewing DHS’ POA&M process to ensure that all security weaknesses are identified, tracked, and addressed; (3) reviewed policies, procedures, and practices that DHS has at the program level and at the component level; (4) evaluated processes, i.e., system inventory, C&A, security training, and incident response, that DHS has implemented as part of its agencywide information security program; and (5) developed our independent evaluation of DHS’ information security program.

We reviewed the quality of the C&A packages for a sample of 28 systems and 33 NIST SP 800-53 self-assessments at 13 components: CBP, DHS Management, FEMA, FLETC, ICE, NPPD, OIG, S&T, TSA, USCG, USCIS, USSS, and United States Visitor and Immigrant Status Indicator Technology (US-VISIT), to ensure that all of the required documents were completed prior to the systems being accredited.

We conducted our evaluation between June and August 2007 under the authority of the Inspector General Act of 1978, as amended, and according to the Quality Standards for Inspections issued by the President’s Council on Integrity and Efficiency. Major OIG contributors to the evaluation are identified in Appendix M.

The principal OIG points of contact for the evaluation are Frank Deffer, Assistant Inspector General, Office of Information Technology, at (202) 254-4100 and Edward G. Coleman, Director, Information Security Audits Division, at (202) 254-5444.

Appendix B
Management Response to Draft Report

[Pages 17 through 21 of the original report reproduce the management response; their content was not captured in this text extraction.]

Appendix C
FISMA Scorecard and C&A Steady State Scorecard for July 2007

[Pages 22 through 24 of the original report present the scorecards; their content was not captured in this text extraction.]
Appendix D
FY 2007 Monthly Component FISMA Scorecard Grades

[Page 25 of the original report presents the monthly scorecard grades; their content was not captured in this text extraction.]

Appendix E
FISMA System Inventory and Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

Question 1: FISMA System Inventory

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2. For the Total Number of Systems reviewed by the IG by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key. Question 1: (a) Agency Systems: Number, Number Reviewed; (b) Contractor Systems: Number, Number Reviewed; (c) Total Number of Systems (Agency and Contractor systems): Total Number, Total Number Reviewed. Question 2: (a) Number of systems certified and accredited (a): Total Number, Percent of Total; (b) Number of systems for which security controls have been tested and reviewed in the last year: Total Number, Percent of Total; (c) Number of systems for which contingency plans have been tested in accordance with policy: Total Number, Percent of Total. The Question 1 "Number" columns are reported only on the Sub-total rows; the impact-level rows carry only the numbers reviewed. Entries written as "x/y" appear in the source as two figures separated by a slash and are kept as reported.

| Bureau Name | FIPS 199 Impact Level | Q1a Agency Number | Q1a Agency Reviewed | Q1b Contractor Number | Q1b Contractor Reviewed | Q1c Total Number | Q1c Total Reviewed | Q2a C&A Number | Q2a Percent | Q2b Controls Tested Number | Q2b Percent | Q2c Contingency Plan Tested Number | Q2c Percent |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CBP | High | | 3 | | 0 | | 3 | 3/2 | 67% | 3 | 100% | 2 | 67% |
| CBP | Moderate | | 3 | | 0 | | 3 | 3/2 | 67% | 3 | 100% | 2 | 67% |
| CBP | Low | | 1 | | 0 | | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| CBP | Sub-total | 41 | 7 | 2 | 0 | 43 | 7 | 7/5 | 71% | 7 | 100% | 5 | 71% |
| USCIS | Moderate | | 6 | | 12 | | 18 | 4/2 | 11% | 6 | 33% | 17 | 94% |
| USCIS | Low | | 0 | | 2 | | 2 | 1 | 50% | 1 | 50% | 2 | 100% |
| USCIS | Sub-total | 59 | 6 | 34 | 14 | 93 | 20 | 5/3 | 15% | 7 | 35% | 19 | 95% |
| FEMA | High | | 8 | | 0 | | 8 | 7/5 | 63% | 7 | 88% | 4 | 50% |
| FEMA | Moderate | | 0 | | 1 | | 1 | 1/0 | 0% | 1 | 100% | 0 | 0% |
| FEMA | Not Categorized | | 2 | | 0 | 0 | 2 | 0 | 0% | 0 | 0% | 0 | 0% |
| FEMA | Sub-total | 38 | 10 | 18 | 1 | 56 | 11 | 8/5 | 45% | 8 | 73% | 4 | 36% |
| FLETC | Moderate | | 3 | | 0 | | 3 | 3 | 100% | 3 | 100% | 2 | 67% |
| FLETC | Low | | 1 | | 0 | | 1 | 1/0 | 0% | 1 | 100% | 0 | 0% |
| FLETC | Sub-total | 9 | 4 | 2 | 0 | 11 | 4 | 4/3 | 75% | 4 | 100% | 2 | 50% |
| IA | Sub-total | 3 | 0 | 0 | 0 | 3 | 0 | 0 | 0% | 0 | 0% | 0 | 0% |
| Oper Coord | Sub-total | 2 | 0 | 1 | 0 | 3 | 0 | 0 | 0% | 0 | 0% | 0 | 0% |
| ICE | High | | 3 | | 1 | | 4 | 4/3 | 75% | 3 | 75% | 4 | 100% |
| ICE | Moderate | | 3 | | 2 | | 5 | 4/3 | 60% | 5 | 100% | 2 | 40% |
| ICE | Low | | 1 | | 1 | | 2 | 2 | 100% | 2 | 100% | 2 | 100% |
| ICE | Sub-total | 40 | 7 | 58 | 4 | 98 | 11 | 10/8 | 73% | 10 | 91% | 8 | 73% |
| Infrastructure | High | | 0 | | 1 | | 1 | 1/0 | 0% | 1 | 100% | 1 | 100% |
| Infrastructure | Moderate | | 1 | | 1 | | 2 | 2 | 100% | 2 | 100% | 1 | 50% |
| Infrastructure | Sub-total | 5 | 1 | 14 | 2 | 19 | 3 | 3/2 | 67% | 3 | 100% | 2 | 67% |
| NPPD | High | | 1 | | 1 | | 2 | 2/1 | 50% | 2 | 100% | 1 | 50% |
| NPPD | Moderate | | 1 | | 2 | | 3 | 3/2 | 67% | 3 | 100% | 3 | 100% |
| NPPD | Low | | 0 | | 1 | | 1 | 1/0 | 0% | 1 | 100% | 0 | 0% |
| NPPD | Sub-total | 6 | 2 | 11 | 4 | 17 | 6 | 6/3 | 50% | 6 | 100% | 4 | 67% |
| OIG | High | | 1 | | 0 | | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| OIG | Sub-total | 3 | 1 | 0 | 0 | 3 | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| S&T | Moderate | | 4 | | 0 | | 4 | 3 | 75% | 3 | 75% | 2 | 50% |
| S&T | Low | | 1 | | 2 | | 3 | 1 | 33% | 1 | 33% | 1 | 33% |
| S&T | Sub-total | 11 | 5 | 9 | 2 | 20 | 7 | 4 | 57% | 4 | 57% | 3 | 43% |
| TSA | High | | 0 | | 1 | | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| TSA | Moderate | | 0 | | 1 | | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| TSA | Low | | 0 | | 1 | | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| TSA | Sub-total | 47 | 0 | 24 | 3 | 71 | 3 | 3 | 100% | 3 | 100% | 3 | 100% |
| USCG | High | | 2 | | 0 | | 2 | 2/0 | 0% | 2 | 100% | 1 | 50% |
| USCG | Moderate | | 3 | | 1 | | 4 | 3/1 | 25% | 4 | 100% | 2 | 50% |
| USCG | Low | | 1 | | 0 | | 1 | 1/0 | 0% | 1 | 100% | 1 | 100% |
| USCG | Sub-total | 96 | 6 | 27 | 1 | 123 | 7 | 6/1 | 14% | 7 | 100% | 4 | 57% |
| USSS | High | | 2 | | 0 | | 2 | 2/1 | 50% | 2 | 100% | 1 | 50% |
| USSS | Moderate | | 1 | | 0 | | 1 | 1/0 | 0% | 1 | 100% | 0 | 0% |
| USSS | Sub-total | 34 | | | | | | | | | | | |
  3          1           0            35             3              3/ 1            33%                3              100%               1             33%\nUS-VISIT      Low                            0                      1                           1               1              100%               1              100%               0              0%\n              Sub-total           2          0          6           1            8              1               1              100%               1              100%               0              0%\nAgency\nTotals        High               136         20        58           4           194             24            23/ 14            58%               22              92%               16            67%\n              Moderate           210         25        118         20           328             45            42/ 19            42%               32              71%               32            71%\n              Low                 49         5         31           8            80             13             11/ 7            54%               10              77%               8             62%\n              Not Categorized     1          2          0           0            1              2               0               0%                0               0%                0              0%\n\n              Total              396        52        207          32           603            84             62/ 40           48%               64              76%                56            67%\n\nComments: (a) Per CISO procedures, the number of systems certified and accredited is based on a validated ATO letter, not on the adequacy of the documents required. If in our determination, the\nsystems should not have been accredited based upon the quality of the artifacts, the revised number is shown next to the original total. 
The percent of total is based on the OIG’s count of systems accredited.

Evaluation of DHS’ Information Security Program for Fiscal Year 2007
Page 27

Appendix F
Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

In the format below, evaluate the agency's oversight of contractor systems, and agency system inventory.

3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.

     Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another federal agency, for example, a federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

     Response Categories:
     - Rarely - for example, approximately 0-50% of the time
     - Sometimes - for example, approximately 51-70% of the time
     - Frequently - for example, approximately 71-80% of the time
     - Mostly - for example, approximately 81-95% of the time
     - Almost Always - for example, approximately 96-100% of the time

     Response: Almost Always - for example, approximately 96-100% of the time (a)

3.b. The agency has developed a complete inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

     Response Categories:
     - The inventory is approximately 0-50% complete
     - The inventory is approximately 51-70% complete
     - The inventory is approximately 71-80% complete
     - The inventory is approximately 81-95% complete
     - The inventory is approximately 96-100% complete

     Response: Approximately 96-100% complete

3.c. The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.

     Response: Yes

3.d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes or No.

     Response: Yes

3.e. The agency inventory is maintained and updated at least annually.

     Response: Yes

Comments:
(a) DHS requires contractor systems to be evaluated in the same manner as agency-owned systems. As of July 31, 2007, NIST SP 800-53 self-assessments have been performed for all operational contractor systems. This response is a result of DHS’ reported performance metrics. The OIG has not evaluated the quality of the assessments performed.

Appendix G
Evaluation of Agency Plan of Action and Milestones Process

Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. Evaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments in the area provided.

For each statement in items 4.a. through 4.f., select the response category that best reflects the agency's status.

Response Categories:
- Rarely - for example, approximately 0-50% of the time
- Sometimes - for example, approximately 51-70% of the time
- Frequently - for example, approximately 71-80% of the time
- Mostly - for example, approximately 81-95% of the time
- Almost Always - for example, approximately 96-100% of the time

4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
     Response: Almost Always - for example, approximately 96-100% of the time (a)

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
     Response: Sometimes - for example, approximately 51-70% of the time (b)

4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).
     Response: Mostly - for example, approximately 81-95% of the time (c)

4.d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
     Response: Sometimes - for example, approximately 51-70% of the time (d)

4.e. IG findings are incorporated into the POA&M process.
     Response: Mostly - for example, approximately 81-95% of the time (e)

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
     Response: Mostly - for example, approximately 81-95% of the time (f)

POA&M process comments:

(a) DHS requires all known IT security weaknesses to be included in Trusted Agent FISMA.
(b) DHS requires components to create POA&Ms for all IT security weaknesses. However, there were instances during our review of the C&A process and NIST SP 800-53 self-assessments where POA&Ms were not created for all weaknesses identified or controls not tested. In addition, many of the POA&Ms did not contain all required information, such as the resources required for remediation.
(c) DHS components are required to update all information in their POA&Ms at least monthly. However, as of July 5, 2007, 9% of open POA&Ms had estimated completion dates that were at least 3 months past due (prior to April 5, 2007), including 277 that had estimated completion dates more than 1 year old.
(d) The CIO conducts monthly reviews of the POA&Ms for status and completion and issues reports to the components. However, the CIO does not review POA&Ms for classified systems and does not analyze POA&Ms to determine the reasonableness of delayed completion of POA&Ms or to identify recurring or similar weaknesses across the department.
(e) DHS requires all OIG findings to be included in each component’s POA&M. We determined that 88% of findings were incorporated into a POA&M.
(f) DHS prioritizes its IT security weaknesses.
However, 7 of 38 open significant weaknesses (18%) were created more than 12 months ago and 8 of the 38 (21%) did not have resources identified.

Appendix H
IG Assessment of the Certification and Accreditation Process

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards. Provide narrative comments as appropriate.

Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for certification and accreditation work initiated after May 2004. This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems" (February 2004) to determine a system impact level, as well as the associated NIST documents used as guidance for completing risk assessments and security plans.

5.a. The IG rates the overall quality of the Agency's certification and accreditation process as:

     Response Categories:
     - Excellent
     - Good
     - Satisfactory
     - Poor
     - Failing

     Response: Satisfactory (a)

5.b. The IG's quality rating included or considered the following aspects of the C&A process (check all that apply):
     - Security plan: X
     - System impact level: X
     - System test and evaluation: X
     - Security control testing: X
     - Incident handling: X
     - Security awareness training: X
     - Configurations/patching: X
     - Other: privacy impact assessment, risk assessment, contingency plan, contingency plan testing, security assessment report

C&A process comments:

(a) DHS has implemented a good C&A process. DHS uses a department-wide tool that incorporates NIST security controls to certify and accredit all systems. The CIO requires all components to use this tool. Components are required to apply NIST SP 800-53 security controls for all system certifications. However, for many systems, the artifacts that are required to certify and accredit a system were either missing or incomplete. Our review of 28 C&A packages at 10 components found 17 instances in which accreditation packages were incomplete. Specifically, systems were accredited although some security documents were missing key information that is required to meet all applicable DHS, OMB, and NIST guidelines.

Appendix I
IG Assessment of Agency Privacy Program and Privacy Impact Assessment Process

Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

6.a. Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA) process, as discussed in Section D II.4 (Senior Agency Official for Privacy reporting template), including adherence to existing policy, guidance, and standards.

     Response Categories:
     - Excellent
     - Good
     - Satisfactory
     - Poor
     - Failing

     Response: Good

     Comments:

     DHS has taken steps to continually improve its PIA guidance. The most recent guidance issued by the Privacy Office increased the emphasis on describing the privacy analysis that should take place in making a system design decision that affects privacy. The Privacy Office requires a PTA for all systems to determine if a PIA is required. The PTA was specifically designed to identify which systems in the DHS information system inventory collect or use personally identifiable information (PII), which systems require a PIA, and which need a Privacy Act System of Records Notice.
     The Privacy Office has further refined the PTA over the past 2 years, and it is now a key aspect of the privacy compliance process. The PIA guidance provides information on when a PIA must be conducted, how the associated analysis should be performed, and how the PIA document should be written. The Privacy Office's requirements are more detailed than those required by OMB.

6.b. Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-06-15, "Safeguarding Personally Identifiable Information" since the most recent self-review, including the agency's policies and processes, and the administrative, technical, and physical means used to control and protect personally identifiable information (PII).

     Response Categories:
     - Excellent
     - Good
     - Satisfactory
     - Poor
     - Failing

     Response: Good

     Comments:

     DHS has taken actions to integrate privacy considerations into the DHS decision-making process by establishing an advisory committee, holding public workshops, and participating in policy development. The Chief Privacy Officer and CIO issued a memorandum in June 2006 to all DHS employees and contractors reinforcing their obligations to safeguard PII. In September 2006, DHS updated its IT security policies to cover the technical safeguards in identifying the requirements surrounding the protection of PII. In 2007, the Privacy Office issued guidance regarding the use of social security numbers at DHS and the collection, use, retention, and dissemination of information on non-U.S. citizens. In June 2007, the Under Secretary for Management and Chief Privacy Officer requested that all DHS components perform self-assessments of the handling of PII by August 15, 2007, and provide privacy and IT security awareness training to all employees and contractors by September 15, 2007. The Privacy Office is also continually refining the PTA process to identify systems that maintain PII.

Appendix J
Configuration Management

Question 7: Configuration Management

7.a. Is there an agency-wide security configuration policy? Yes or No.

     Response: Yes

     Comments:
     DHS has included in its agency-wide policy the requirement that all components ensure that the installation of hardware and software products meets the requirements specified in applicable DHS secure baseline configuration guides. DHS has developed configuration guides for all major hardware and software systems being used by its components.

7.b. Approximate the extent to which applicable information systems apply common security configurations established by NIST.

     Response categories:
     - Rarely - for example, approximately 0-50% of the time
     - Sometimes - for example, approximately 51-70% of the time
     - Frequently - for example, approximately 71-80% of the time
     - Mostly - for example, approximately 81-95% of the time
     - Almost Always - for example, approximately 96-100% of the time

     Response: See comment (a)

Comments:

(a) Many of the components use standard configurations for their systems, but have not fully implemented DHS' baseline configuration guides. In addition, while the CIO has performed procedural and documentation reviews at each component to determine whether configuration management processes are in place, no testing has been performed to determine whether components are in compliance with DHS baseline configurations (or other system configuration guides). Results of vulnerability assessments during the fiscal year have identified security concerns, including inadequate password controls, patches not installed, and configuration settings that are not in agreement with DHS baseline configurations.

Appendix K
Incident Reporting

Question 8: Incident Reporting

Indicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement.
If appropriate or necessary, include comments in the area provided below.

8.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.
     Response: Yes (a)

8.b. The agency follows documented policies and procedures for external reporting to US-CERT (http://www.us-cert.gov). Yes or No.
     Response: Yes

8.c. The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.
     Response: Yes

Comments:

(a) While DHS requires components to submit weekly incident reports, during an 11-week period in FY 2007, five major components (FEMA, FLETC, ICE, OIG, USCIS) did not submit reports every week.

Appendix L
Security Awareness Training, Peer-to-Peer File Sharing, and E-Authentication Risk Assessments

Question 9: Security Awareness Training

Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?

Response Categories:
- Rarely - or approximately 0-50% of employees
- Sometimes - or approximately 51-70% of employees
- Frequently - or approximately 71-80% of employees
- Mostly - or approximately 81-95% of employees
- Almost Always - or approximately 96-100% of employees

Response: Mostly, or approximately 81-95% of employees

Comments:
The Training Office is validating components' training data to ensure that the components provide IT security awareness training to their employees. The Training Office has begun validating training for employees with significant IT security responsibilities; however, not all employees, including contractors, with significant IT security responsibilities have been identified. In addition, the Training Office has not established the training that is needed for all individuals with significant IT security responsibilities (including network, database, and system administrators).

Question 10: Peer-to-Peer File Sharing

Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No.

Response: Yes

Comments:
Two components did not explain DHS’ policy regarding peer-to-peer file sharing risks during their IT security awareness training.

Question 11: E-Authentication Risk Assessments

The agency has completed system e-authentication risk assessments. Yes or No.

Response: Yes

Appendix M
Major Contributors to this Report

Information Security Audit Division

Edward G. Coleman, Director
Jeff Arman, Audit Manager
Chiu-Tong Tsang, Senior IT Auditor
Maria Rodriguez, Senior IT Auditor
Charles Twitty, IT Auditor
Swati Mahajan, IT Specialist
Amanda Strickler, IT Specialist
Tom Rohrback, Management/Program Assistant
Steve Ressler, Referencer

Advanced Technology Division

Richard Saunders, Director
Ginger Doetsch, Senior Security Engineer
Blake Bommelje, IT Specialist

Appendix N
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Assistant Secretary for Legislative and Intergovernmental Affairs
Assistant Secretary for Policy
Assistant Secretary for Public Affairs
Chief Information Officer
Deputy Chief Information Officer
Chief Financial Officer
Chief Privacy Officer
Chief Human Capital Officer
Chief Information Security Officer
Director, GAO/OIG Liaison Office
Director, Compliance and Oversight Program, Office of CIO
Director, Information Security Audit Division
Chief Information Officer Audit Liaison
Chief Information Security Officer Audit Liaison
Component CIOs
Component ISSMs

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

    •    Call our Hotline at 1-800-323-8603;
    •    Fax the complaint directly to us at (202) 254-4292;
    •    Email us at DHSOIGHOTLINE@dhs.gov; or
    •    Write to us at:

         DHS Office of Inspector General/MAIL STOP 2600,
         Attention: Office of Investigations - Hotline,
         245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.